RA-2 Security Categorization

Description

Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

Control Information

Responsible role(s) - Organization

RA-3 Risk Assessment

Description

The organization:

Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Control Information

Responsible role(s) - Organization

RA-5 Vulnerability Scanning

Description

The organization:

Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

Enumerating platforms, software flaws, and improper configurations;

Formatting checklists and test procedures; and

Measuring vulnerability impact;

Analyzes vulnerability scan reports and results from security control assessments;

Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and

Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Control Information

Responsible role(s) - Organization

RA-5 (1) Update Tool Capability

Description

The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.

Control Information

Responsible role(s) - Docker system

Component                      | Implementation Status(es) | Control Origin(s)
Docker Security Scanning (DSS) | complete                  | service provider hybrid
Docker Trusted Registry (DTR)  | complete                  | service provider hybrid

Implementation Details

To assist the organization in meeting the requirements of this control, the Docker Security Scanning (DSS) component of Docker Trusted Registry (DTR) that is included with the Docker Enterprise Edition Advanced tier can be used to scan Docker images for vulnerabilities against known vulnerability databases. Scans can be triggered either manually or when Docker images are pushed to DTR.

The Docker Security Scanning tool allows for the scanning of Docker images in Docker Trusted Registry against the Common Vulnerabilities and Exposures (CVE) dictionary.

RA-5 (2) Update By Frequency / Prior To New Scan / When Identified

Description

The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].

Control Information

Responsible role(s) - Docker system

Component                      | Implementation Status(es) | Control Origin(s)
Docker Security Scanning (DSS) | complete                  | service provider hybrid

Implementation Details

To assist the organization in meeting the requirements of this control, the Docker Security Scanning component of Docker Trusted Registry (DTR) that is included with the Docker Enterprise Edition Advanced tier compiles a bill of materials (BOM) for each Docker image that it scans. DSS is also synchronized to an aggregate listing of known vulnerabilities that is compiled from both the MITRE and NVD CVE databases. Additional information can be found at the following resources:

Implementation Details

To assist the organization in meeting the requirements of this control, the Docker Security Scanning component of Docker Trusted Registry (DTR) that is included with the Docker Enterprise Edition Advanced tier identifies vulnerabilities in a Docker image and marks them against predefined criticality levels: critical, major, and minor.

The Docker Security Scanning tool allows for the scanning of Docker images in Docker Trusted Registry against the Common Vulnerabilities and Exposures (CVE) dictionary.
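The mechanism described for RA-5(2) above (a per-image bill of materials matched against a vulnerability list that is refreshed before scanning) and the critical/major/minor criticality levels, as an added example that is not Docker's DSS code: a toy scanner matches a constructed image BOM against a constructed vulnerability list, buckets the findings by criticality, and shows which findings only appear once the list has been updated prior to a new scan. All package names, versions and CVE-style identifiers are constructed placeholders, and the version comparison assumes plain dotted-integer version strings.

```python
"""Toy image scan: match an image bill of materials (BOM) against a
vulnerability list and bucket the findings by criticality.

Added example, not Docker Security Scanning's own code. Every package,
version and CVE-style identifier below is constructed sample data; the
"CVE-0000-*" ids are placeholders, not real CVE entries.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str    # placeholder identifier, not a real CVE
    package: str    # affected package name as it appears in the BOM
    fixed_in: str   # first version that is no longer affected
    severity: str   # "critical", "major" or "minor"


# Constructed BOM for one image: package -> installed version.
SAMPLE_BOM: Dict[str, str] = {"openssl": "1.0.2", "zlib": "1.2.11", "bash": "4.3"}

# Constructed vulnerability list, standing in for an aggregate feed.
SAMPLE_VULNS: List[Vulnerability] = [
    Vulnerability("CVE-0000-0001", "openssl", "1.0.3", "critical"),
    Vulnerability("CVE-0000-0002", "bash", "4.4", "major"),
    Vulnerability("CVE-0000-0003", "zlib", "1.2.11", "minor"),  # already fixed in BOM
]

# The same list after a refresh: one new entry affecting the installed zlib.
UPDATED_VULNS: List[Vulnerability] = SAMPLE_VULNS + [
    Vulnerability("CVE-0000-0004", "zlib", "1.2.12", "major"),
]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Parse '1.2.11' -> (1, 2, 11). Assumes dotted integers only;
    real package ecosystems need their own comparison rules."""
    return tuple(int(part) for part in version.split("."))


def scan(bom: Dict[str, str], vulns: Iterable[Vulnerability]) -> List[Vulnerability]:
    """Return every vulnerability whose package is present in the BOM
    at a version below the fixed version."""
    findings = []
    for vuln in vulns:
        installed = bom.get(vuln.package)
        if installed is None:
            continue  # package not in this image
        if version_tuple(installed) < version_tuple(vuln.fixed_in):
            findings.append(vuln)
    return findings


def by_severity(findings: Iterable[Vulnerability]) -> Dict[str, List[str]]:
    """Group finding ids into the critical / major / minor buckets."""
    buckets: Dict[str, List[str]] = {"critical": [], "major": [], "minor": []}
    for finding in findings:
        buckets[finding.severity].append(finding.vuln_id)
    return buckets


def new_findings_after_update(bom, old_vulns, new_vulns) -> List[str]:
    """Ids found only when scanning against the refreshed list: what an
    organisation misses if the list is not updated before a new scan."""
    before = {f.vuln_id for f in scan(bom, old_vulns)}
    after = {f.vuln_id for f in scan(bom, new_vulns)}
    return sorted(after - before)


if __name__ == "__main__":
    print(by_severity(scan(SAMPLE_BOM, SAMPLE_VULNS)))
    print("new after feed update:", new_findings_after_update(SAMPLE_BOM, SAMPLE_VULNS, UPDATED_VULNS))
```

The already-fixed zlib entry in the sample list is there on purpose: a scanner that matches on package name alone would report it, so the version comparison is what keeps the finding list honest.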

RA-5 (4) Discoverable Information

Description

The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].

Control Information

Implementation Details

For each Docker image pushed to Docker Trusted Registry at a given time, Docker Security Scanning retains a list of vulnerabilities detected. The DTR API can be queried to retrieve the vulnerability scan results over a period of time for a given Docker image such that the results can be compared per the requirements of this control.

RA-5 (8) Review Historic Audit Logs

Description

The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.

Control Information

Responsible role(s) - Docker system

Component                      | Implementation Status(es) | Control Origin(s)
Docker Security Scanning (DSS) | complete                  | service provider hybrid

Implementation Details

Docker Security Scanning maintains a historical bill-of-materials (BOM) for all Docker images that are scanned. Results of previous vulnerability scans can be reviewed and audited per the requirements of this control.
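The comparison of scan results over time described under RA-5 (4), and the review of historic audit logs against a vulnerability's exposure window described under RA-5 (8), as an added example that is neither DTR's API nor DSS code: the scan history and audit log below are constructed sample records standing in for results retrieved from DTR (the real API response schema is not reproduced), and the vulnerability ids are placeholders. The code diffs two scans of the same image and then selects the audit entries that fall inside the period during which scans showed a given vulnerability present.

```python
"""Compare vulnerability scan results for one image over time, and pick out
the audit-log entries dated while a given vulnerability was present.

Added example, not DTR or DSS code. SCAN_HISTORY and SAMPLE_AUDIT_LOG are
constructed stand-ins for records fetched from the registry; the "CVE-0000-*"
ids are placeholders. Dates are ISO-8601 strings, which compare correctly
as plain strings.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed scan history for one image tag, oldest first.
SCAN_HISTORY: List[Dict] = [
    {"scanned_at": "2017-01-10", "vulns": {"CVE-0000-0001", "CVE-0000-0002"}},
    {"scanned_at": "2017-02-14", "vulns": {"CVE-0000-0002", "CVE-0000-0003"}},
    {"scanned_at": "2017-03-20", "vulns": {"CVE-0000-0003"}},
]

# Constructed audit log: who pulled or ran the image, and when.
SAMPLE_AUDIT_LOG: List[Dict] = [
    {"ts": "2017-01-12", "action": "pull", "image": "app:1.0", "user": "alice"},
    {"ts": "2017-02-01", "action": "run", "image": "app:1.0", "user": "svc-batch"},
    {"ts": "2017-03-25", "action": "pull", "image": "app:1.0", "user": "bob"},
]


def diff_scans(older: Set[str], newer: Set[str]) -> Dict[str, List[str]]:
    """Classify ids between two scans of the same image (RA-5 (4))."""
    return {
        "introduced": sorted(newer - older),
        "resolved": sorted(older - newer),
        "persisting": sorted(older & newer),
    }


def exposure_intervals(history: List[Dict], vuln_id: str) -> List[Tuple[str, Optional[str]]]:
    """[start, end) intervals during which consecutive scans reported vuln_id.
    end is None when the latest scan still reports it. A gap between scans
    is attributed to the earlier scan's state, since nothing else is known."""
    intervals: List[Tuple[str, Optional[str]]] = []
    start: Optional[str] = None
    for record in history:
        present = vuln_id in record["vulns"]
        if present and start is None:
            start = record["scanned_at"]          # first scan showing it
        elif not present and start is not None:
            intervals.append((start, record["scanned_at"]))  # first scan without it
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def audit_entries_during_exposure(history: List[Dict], audit_log: List[Dict], vuln_id: str) -> List[Dict]:
    """Audit entries to review for signs of exploitation (RA-5 (8)):
    those dated inside an exposure interval of vuln_id."""
    selected = []
    for start, end in exposure_intervals(history, vuln_id):
        for entry in audit_log:
            if entry["ts"] >= start and (end is None or entry["ts"] < end):
                selected.append(entry)
    return selected


if __name__ == "__main__":
    print(diff_scans(SCAN_HISTORY[0]["vulns"], SCAN_HISTORY[1]["vulns"]))
    for vid in ("CVE-0000-0001", "CVE-0000-0003"):
        print(vid, exposure_intervals(SCAN_HISTORY, vid),
              [e["user"] for e in audit_entries_during_exposure(SCAN_HISTORY, SAMPLE_AUDIT_LOG, vid)])
```

The interval logic treats a vulnerability as present from the first scan that reports it until the first later scan that does not; because the true fix time lies somewhere in that gap, the selected audit window errs on the side of including more entries rather than fewer.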

RA-5 (10) Correlate Scanning Information

Description

The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.